California Consumer Privacy Act (CCPA): What You Need To Know

California has just signed the California Consumer Privacy Act of 2018 (CCPA) into law. This new consumer privacy law follows Europe’s General Data Protection Regulation (GDPR) and, for some, is seen as a smaller version – without the option to opt out of data collection altogether that the GDPR has.

Let’s see how this new bill is going to affect your business, and how you can prepare for success in the future regulatory landscape.

If nothing else, you need to know 5 things about CCPA.

Under the new law, residents of California have the right to:

– Know what personal information is being collected about them.

– Access that personal information.

– Know whether their personal information is disclosed, and if so, with whom.

– Know whether their personal information is sold. If so, they have the right to opt out of the sale.

– Equal service and price regardless of whether or not they exercise their privacy rights.

The CCPA In Detail

CCPA is a consumer privacy law that will be coming into effect on January 1, 2020. The bill – which is aggressive by American privacy policy standards – will put guidelines on how businesses collect personal information and how they use that data after acquiring it.

Who Does it Apply to?
CCPA will apply to any business that operates in California (whether it is a California business or not).

Let’s Define “Personal Information.”
Before we start getting into the specifics of the law, we need to define personal information (as defined by CCPA). Personal information, in the case of the bill, is a broad term. It includes obvious things such as names, addresses, SSNs, and email addresses. However, the term extends further. It includes geolocation, IP addresses, shopping or browsing history, psychological profiles, behaviors, attitudes, consumption behaviors, and consumer preferences.

Or put into more eloquent terms – literally everything.

The Right to Opt Out
Consumers now have the right to “opt out” of a business selling their information. By the definition of this bill, which is very broad, almost every B2B transfer of information will be considered a sale of information.

This means that third-party businesses will not be able to sell customer information post-acquisition unless the customer has received a notice and been given the right to “opt out” first.

The Right to Access
Consumers can request access to their personal information that a business has stored. In other words, a consumer may ask what information a business has collected on them, and that business will be required to detail what specific type of information was collected.

The Right to Delete
Consumers can request to have their information deleted, and businesses must comply.

There are a few (a bunch of) exceptions to this, including transactions, security incidents, errors, free speech, compliance with various other acts (like CalECPA), research, internal uses, and legal compliance.

Opt-in for Children
Businesses will be required to collect opt-in for children under the age of 16. For children who are under 13, the opt-in must be collected from a parent or guardian.

Note: Because of COPPA, businesses will need to ask consumers if they are under 16 – otherwise, they could get fined. So, basically, you will need to ask people if they are under 16 so that you can ask them if you can collect data on them.

Do Not Sell My Personal Information
Businesses that are subject to CCPA will be required to insert a link on their homepage — as well as in their privacy policy — that leads to an opt-out page for consumers (which they must be able to access without signing up for anything).

What About the Stick?

Currently, penalties in the law can include up to $7,500 per incident, meaning that a data breach involving 10,000 customers could end up costing a business as much as $75 million.

Issues

There are a few issues that need to be ironed out before the law makes its way into 2020. The legislation is expected to be cleaned and prepped by the time 2020 rolls around. Mostly, cleanup is just a few legislative errors (and a lot of clarification), but there is one major issue that sticks out to us.

That issue is Section 1798.125 (b), which permits businesses to offer different prices and incentives to customers who allow data collection.

This section directly conflicts with Section 1798.125 (a), which prohibits charging or suggesting different prices, rates, or quality levels to consumers based on opt-in.

A “fuzzy” area around businesses offering opt-in incentives is certainly not a good place to have conflicting provisions. We are hoping this is cleared up by the time the bill is enforced.

Being prepared

The CCPA has a big impact on the digital ecosystem, and we’re going to see major shifts in what and how much data is collected. The most crucial step a company can take, right now, is figuring out what data they have, where, and with whom. If you haven’t started redoing your privacy policy, that’s your next step. In the interim, you may want to consider minimizing your data “touches” and only handle data that is immediately important to legal and business needs.

If you’re prepared for GDPR you are ahead, but CCPA is slightly different, so you still have some work to do. If you haven’t done much with GDPR, you can get started with our Marketer’s Guide To GDPR Compliance to help you navigate your way through the changing consumer privacy laws.